tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Vijay <amirisetty.vijayaragha...@gmail.com>
Subject clear text keystore password in server.xml
Date Fri, 27 Aug 2010 09:41:23 GMT
Hello,
         I am looking to secure the keystore password that is stored as
clear text in server.xml.
Looking at the various online forums, here are the suggested options I came
across:

   1. Restrict the access permissions of server.xml so that only the
   administrator is able to access server.xml
   2. Do not save the keystore password in server.xml. Instead use the
   system property -Djavax.net.ssl.keyStorePassword="clear text keystore
   password" to pass the password to tomcat. [this is available in Tomcat
   5.5.29 onwards <https://issues.apache.org/bugzilla/show_bug.cgi?id=38774>
   ]


Problem with both the approaches is that the password is in clear text and
we deem it as a potential security risk.

I am looking for a way to use only encrypted passwords.

I am looking to write a wrapper class that decrypts the password passed as
an environment variable to tomcat, and then sets the system property
javax.net.ssl.keyStorePassword inside the JVM itself.

Something in the lines of :

public class WrapperTomcatBootstrap {

    public static void main(String args[]) {
        String encryptedKeystorePassword =
System.getenv("ENCRYPTED_KEYSTORE_PASSWORD");
        if(encryptedKeystorePassword != null) {
            String decryptedPassword =
PcsfCryptographer.decryptData(encryptedKeystorePassword);
            System.setProperty("javax.net.ssl.keyStorePassword",
decryptedPassword);
        }
        Bootstrap.main(args);
    }
}

For some reason this doesnt seem to work. Tomcat is listening on both
http/https mode, requests to http port are getting redirected to the https
port.. but no web pages are being served. Nothing in the logs too :(


   - Are there an problems with the approach above ?
   - Is there a better way to work with encrypted passwords?

The tomcat version I am using is 5.5.30

Thanks in advance for any pointers/ suggestions in this direction!
Vijay

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message